Cron jobs on Kerberized NFS

JurjenBokma

November 2013

Abstract

When $HOME is on Kerberized NFS, a cron job cannot just do I/O to $HOME without preparations.
This article shows the necessary preparations.

Create a keytab

To allow the cron job access to $HOME, you must create a keytab.
This keytab is worth a password in that whoever can read it can do anything you yourself could do to your homedir.
And you cannot put it in $HOME, as CRON cannot read it from there in the first place.
So put in in /tmp, /var/tmp, or the like...

... because if you did, cron would start a shell, arrange the redirection of stdin and stdout, and only then would it start kinit.
Thus, the shell would wait for I/O forever, lacking permission, and never get to the kinit part.
It doesn't matter that kinit would later proceed to get the very permission its parent is waiting for.
It just never gets to that point.
To make matters worse, cron would start many of these processes, and none would ever finish.

Permission on $HOME is only available to kinit itself and its children.
So you have to arrange the redirection inside myscript.sh itself.

Warning

Although Active Directory is 'case agnostic', it may be necessary here to use the precise principal name that is in the AD LDAP.
So not 'Krb-Username' if AD thinks it is 'KRB-USERNAME'.